From 2a4528c749c7f1427c7decb2bbd944bea0a5491a Mon Sep 17 00:00:00 2001
From: greenknot <43061872+greenknot@users.noreply.github.com>
Date: Fri, 17 Jan 2020 06:38:21 +0100
Subject: [PATCH] Fix out-of-bounds read in wasm loader (#156)
---
 core/iwasm/runtime/vmcore-wasm/wasm_loader.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/core/iwasm/runtime/vmcore-wasm/wasm_loader.c b/core/iwasm/runtime/vmcore-wasm/wasm_loader.c
index cf9a5bf47..8d21afe7a 100644
--- a/core/iwasm/runtime/vmcore-wasm/wasm_loader.c
+++ b/core/iwasm/runtime/vmcore-wasm/wasm_loader.c
@@ -55,7 +55,15 @@ read_leb(const uint8 *buf, const uint8 *buf_end,
 uint64 byte;
 
 while (true) {
- CHECK_BUF(buf, buf_end, 1);
+ /* Check if the byte count exteeds the max byte count allowed */
+ if (bcnt + 1 > (maxbits + 6) / 7) {
+ set_error_buf(error_buf, error_buf_size,
+ "WASM module load failed: "
+ "integer representation too long");
+ return false;
+ }
+ /* Check buffer */
+ CHECK_BUF(buf, buf_end, *p_offset + 1);
 byte = buf[*p_offset];
 *p_offset += 1;
 result |= ((byte & 0x7f) << shift);
@@ -66,13 +74,6 @@ read_leb(const uint8 *buf, const uint8 *buf_end,
 }
 }
 
- if (bcnt > (maxbits + 6) / 7) {
- set_error_buf(error_buf, error_buf_size,
- "WASM module load failed: "
- "integer representation too long");
- return false;
- }
-
 if (!sign && maxbits == 32 && shift >= maxbits) {
 /* The top bits set represent values > 32 bits */
 if (((uint8)byte) & 0xf0)
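Review bot: The new bounds check `CHECK_BUF(buf, buf_end, *p_offset + 1)` in the first hunk is the right fix, since the old `CHECK_BUF(buf, buf_end, 1)` measured from `buf` rather than from the byte actually read at `buf[*p_offset]`; but whether `*p_offset + 1` itself can wrap depends on the type of `*p_offset` and on what `CHECK_BUF` expands to, neither of which is visible here, so that should be confirmed for a module whose section size is near the type's maximum. The new in-loop guard `if (bcnt + 1 > (maxbits + 6) / 7)` relies on `bcnt` being incremented once per iteration in the lines elided between the two hunks; that increment is not in this diff, so the equivalence with the removed post-loop check is inferred rather than shown. The added comment has a typo and would read better as `/* Reject the byte before reading it if it would exceed the maximum LEB length for maxbits */`. read_leb's signature and the rest of its body lie outside both hunks.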